On Thursday, January 21, 2016 04:15:02 PM Mimi Zohar wrote: > On Thu, 2016-01-21 at 10:45 -0500, Paul Moore wrote: > > On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote: > > > Paul, Casey, Kees, Jon, Tetsuo does it make sense to consolidate the > > > module, firmware, and kexec pre and post security hooks and have just > > > one set of pre and post security kernel_read_file hook instead? Does > > > it make sense for this patch set to define the new hooks to allow the > > > LSMs to migrate to it independently of each other? > > > > Well, as usual, the easiest way to both get solid feedback and actually > > get a change accepted is to post patches to the affected LSMs. Probably > > not what you wanted to hear, but at least I'm honest :) > > Unless I'm misreading the code, it might be a lot simpler than I > thought. Of the three LSM hooks kernel_module_request, > kernel_module_from_file, and kernel_fw_from_file, the only upstreamed > LSM on any of these hooks is SELinux, which is only on the > kernel_module_request hook. > > After converting the SELinux kernel_module_request hook to use the new > kernel_read_file(), do I then remove the three hooks? Are we > concerned about "minor" LSMs that have not been upstreamed that might be > using these hooks? You can't worry about code that isn't upstream; if this change breaks something that hasn't been merged, then the burden lies on the out-of-tree developers to change their code. -- paul moore security @ redhat
